Great Circle Associates Majordomo-Users
(February 2006)
 


Subject: Re: MajorDomo Resetting User
From: Daniel Liston <dliston @ sonny . org>
Date: Fri, 24 Feb 2006 16:47:35 -0600
To: Majordomo-Users @ greatcircle . com
In-reply-to: <43FF82B3.9070106@bpecreative.com>
References: <200602152142.k1FLg9DO000600@mail.emacolet.com><076201c63279$64c71c80$6401a8c0@xp> <43F3F40C.6060804@queernet.org><43F5E154.5040302@bpecreative.com> <43FF56B1.3030308@sonny.org><43FF5D00.4090300@bpecreative.com> <43FF5E53.5030702@sonny.org><43FF82B3.9070106@bpecreative.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2)Gecko/20040804 Netscape/7.2 (ax)

Bob Cohen wrote:
> 
> So here's what my majordomo log looks like:
> 
> Feb 13 07:53:23 narsil.nbtanet.org majordomo[3945] {morton@dcemail.com} 
> help
> Feb 13 07:53:54 narsil.nbtanet.org majordomo[3956] {shawnm@surfy.net} help
> Feb 16 17:13:45 narsil.nbtanet.org majordomo[32078] {"PayPal? 
> Inc."<service@payp
> al.com>} help
> Feb 16 22:29:47 narsil.nbtanet.org majordomo[10179] 
> {"accounting@nbtanet.org" <a
> ccounting@nbtanet.org>} help
> Feb 17 15:30:21 narsil.nbtanet.org majordomo[11363] 
> {"accounting@nbtanet.org" <a
> ccounting@nbtanet.org>} help
> Feb 17 15:33:03 narsil.nbtanet.org majordomo[11403] 
> {"accounting@nbta.net" <acco
> unting@nbta.net>} help
> log.1 (END)
> 
> 
> Does that mean someone is exploiting a majordomo vulnerability?  Because 
> to me this looks like some things are getting sent via majordomo.
> 
> Likewise I found this entry in my most recent maillog:
> 
> Feb 24 10:29:18 narsil sendmail[2918]: k1OFTCE02917: 
> to="|/usr/lib/majordomo/wrapper majordomo", ctladdr=<majordomo@nb
> tanet.org> (8/0), delay=00:00:04, xdelay=00:00:00, mailer=prog, 
> pri=65731, dsn=2.0.0, stat=Sent
> 
> I'm not a sendmail guru and am therefore unsure how to interpret the 
> maillog entry.  But it looks like a message was sent to 
> "majordomo@nbtanet.org"
> 
> Or this:
> 
> Feb 24 10:29:53 narsil sendmail[2934]: k1OFTrt02934: 
> from=Majordomo-Owner@narsil.nbtanet.org, size=18620, class=0, nrc
> pts=1, msgid=<200602241529.k1OFTrt02934@narsil.nbtanet.org>, 
> relay=majordomo@localhost
> 
> The one above looks like a message was sent somewhere from 
> Majordomo-Owner@.  Am I getting abused by someone?
> 
> Bob

Each of the lines in your majordomo Log indicates a message has come
in that majordomo did not understand, so it sent a response with the
help file.  You can try this yourself.  Just email majordomo@your.domain
with any subject and just garbage in the message body.  Majordomo will
send you a reply with the help file explaining how to use majordomo at
your domain.

Since most spam has a forged or undeliverable From: address, majordomo
is probably replying to some innocent netstander.  In this case, yes,
your majordomo is being abused.  If you are not also receiving bounce
messages back, someone is receiving those replies.

I would not call this a vulnerability, but working as designed.  If
majordomo receives a message it does not understand, it sends the help
file.  Remember, majordomo was written in the days when spam was still
just accidental.  Joe R. Jah has written a patch for majordomo that
might help with your situation.

ftp://ftp.ccsf.org/majordomo-patches/1.94.5/noCommand_noBounce.0

Dan Liston
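
Added example (not part of the original message or of Majordomo itself): a small Python script that tallies the help-file replies recorded in a Majordomo log per claimed sender, to gauge how much backscatter the server is producing. The sample log is constructed in the format quoted above with one entry per line (unwrap mail-wrapped lines first); the `local_domains` set and the repeat threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted above (hosts and addresses are made up).
SAMPLE_LOG = """\
Feb 13 07:53:23 lists.example.org majordomo[3945] {alice@example.net} help
Feb 16 17:13:45 lists.example.org majordomo[32078] {"Some Bank Inc."<service@bank.example>} help
Feb 16 22:29:47 lists.example.org majordomo[10179] {"accounting@example.org" <accounting@example.org>} help
Feb 17 15:30:21 lists.example.org majordomo[11363] {"accounting@example.org" <accounting@example.org>} help
Feb 17 15:31:02 lists.example.org majordomo[11370] {bob@example.com} lists
Feb 17 15:33:03 lists.example.org majordomo[11403] {"accounting@example.org" <accounting@example.org>} help
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"majordomo\[(?P<pid>\d+)\] \{(?P<sender>.*)\} (?P<command>.*)$"
)
ADDR_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>|^\s*([^<>\s\"]+@[^<>\s\"]+)\s*$")

def sender_address(field):
    """Return the bare lowercased address from 'Name <addr>' or 'addr'."""
    m = ADDR_RE.search(field)
    return (m.group(1) or m.group(2)).lower() if m else field.strip().lower()

def help_replies(log_text):
    """Count help-file replies per claimed sender address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("command").split()[:1] == ["help"]:
            counts[sender_address(m.group("sender"))] += 1
    return counts

def suspicious(counts, local_domains, repeat_threshold=3):
    """Flag senders claiming a local domain or triggering repeated help replies."""
    flagged = {}
    for addr, n in counts.items():
        reasons = []
        if addr.rsplit("@", 1)[-1] in local_domains:
            reasons.append("claims local domain")
        if n >= repeat_threshold:
            reasons.append(f"{n} help replies")
        if reasons:
            flagged[addr] = reasons
    return flagged

if __name__ == "__main__":
    print(suspicious(help_replies(SAMPLE_LOG), {"example.org"}))
```

A flagged address is only a lead: the From: address is whatever the sender claimed, so confirm against the matching maillog entries before acting on it.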

